TERMS & CONDITIONS OF AGREEMENT FOR PALOMA IN SWEDEN AB’S SERVICES
Customer Agreement- The agreement that has been entered into between PALOMA IN SWEDEN AB (”Paloma”) and the Customer.
Terms & Conditions- Refers to the terms and conditions in the current agreement.
Agreement Period- Refers to the period on which Paloma and the Customer have reached agreement for the use of the Service.
Credits- Refers to a pot of credits i.e. a pot consisting of the number of attendees in Magnet, the number of responses in Kurios and the number of mailings in Postman, which the Customer has purchased pursuant to agreement.
The Customer- Refers to the natural or legal person with whom Paloma has entered into a Customer Agreement for licence of the Service.
The Service- Refers to Paloma’s products: Magnet, Kurios and Postman.
Recipient- Refers to the natural or legal person to whom the Customer sends newsletters, invitations and other services via the Service.
Intellectual property rights- Refers to all intellectual property rights of the Service to which Paloma has an exclusive right, including related rights, as well as the further development and updating of the Service.
User rights- Refers to the limited right granted to the Customer through the Customer Agreement and the Terms & Conditions to use the Service during the agreed Agreement Period.
Section 1 General information
Together with the Customer Agreement, these Terms & Conditions regulate the contractual relationship between Paloma and the Customer regarding the Service. In the event of discrepancies between the Terms & Conditions and the Customer Agreement, the Customer Agreement shall take precedence. Paloma and the Customer are hereinafter jointly referred to as the Parties and individually as Party.
Section 2 Entering into the Customer Agreement
An order for the Service can be placed using a form on Paloma’s website, via email or verbally. In order to facilitate full use of the Service, someone who wishes to become a user of the Service shall give Paloma the details requested by Paloma in connection with the registration. The Customer is obligated to sign a written agreement in conjunction with the order if Paloma so requests. If a Customer Agreement has not been entered into in writing, the
Customer Agreement shall be deemed to have been entered into when Paloma has confirmed the order or when the Service has been opened for use.
The Customer selects a username and a password of his own choosing. Paloma reserves the right to change the Customer’s identification data for technical reasons, for operational reasons or for other reasons, for example on account of a decision by a competent authority.
Section 3 Cancellation of the Customer Agreement
Notice of cancellation shall be provided in writing via email. Failure to pay an invoice is not deemed to constitute cancellation of the Customer Agreement. Paloma does not pay refunds of previously made payments, compensation for the unused part of the Agreement Period or Credits in any circumstance other than circumstances whereby the cancellation has been made on account of a fault or delay in the Service that depends on a circumstance on the part of Paloma, and such circumstance is not of insignificance to the Customer.
Cancellation of the Customer Agreement must be made prior to the commencement of a new Agreement Period. It is the Customer’s responsibility to be aware of when a new Agreement Period starts. Paloma is entitled to invoice the Customer for each Agreement Period that has started. Paloma does not pay a refund as compensation for any time remaining in the period that has started in accordance with the Customer Agreement. This applies even if there is still a pot with Credits.
If the Customer Agreement has been cancelled, the Service is closed down automatically on the day after the final day of the current Agreement Period. It is up to the Customer to export the data the Customer wishes to keep prior to the day on which the Service is automatically closed down. Paloma cannot guarantee that the Customer’s data from the Service will be saved, or that a backup of such data will exist, after the expiry of the Agreement Period.
The Customer Agreement is automatically extended if it has not been cancelled prior to the commencement of a new Agreement Period. A Freemium account or an account with Credits is closed down automatically if the Customer has not been logged onto the account for a period of twelve (12) months.
Paloma is entitled to cancel the Customer Agreement with immediate effect if Paloma intends to shut down the Service or incorporate it into another service, or if Paloma changes the Terms & Conditions for connection to the Service, e.g. due to an increase in functionality or the imposition of a charge for the Service. In such case, any outstanding payment will be credited to the Customer by means of a credit note.
With exception for the above, the following terms and conditions apply to payment with a credit or debit card. If there are insufficient funds to cover the automatic card payment, Paloma reserves the right to make further attempts to process the payment during the following ten (10) days. If there are still insufficient funds to cover the payment after this ten-day period, the Customer Agreement is cancelled with immediate effect. However, in such a situation the Service does not cease entirely, but rather continues to run as a Freemium account. In accordance with the above provision, the Freemium account is then closed down automatically if the Customer has not been logged onto the account within a period of twelve (12) months.
Section 4 The Service’s intellectual property rights
Through the Customer Agreement, the Customer is only granted access to a non-exclusive, time-limited right to use the Service. The Customer is also granted a non-exclusive, time-limited right to use further developments, updates or amendments of the Service. The Customer’s user right is limited to that which is specified above and in the Customer Agreement. Otherwise, Paloma retains all rights to the Service, including all Intellectual Property Rights that the Service contains or may come to contain by way of further development, update or amendment of the Service. Paloma’s rights and Paloma’s Service’s rights may not be used in connection with any product or service without Paloma’s written consent.
The Service, or any part thereof, may not be sold, distributed, copied, reproduced or used in any way that is not in compliance with the Customer’s user right pursuant to these Terms & Conditions and the Customer Agreement.
Section 5 Price and payment terms
Payment for the Service takes place in accordance with the applicable pricelist. The price is stated exclusive of VAT or other comparable surcharges and public charges.
The Service is invoiced or paid for via a credit or debit card at the start of the Agreement Period or the extension period. When payment is made against invoice, the payment shall be received by Paloma no later than 15 days after invoice date (unless some other arrangement has been agreed between the Parties). If payment of an invoice is delayed, the Customer is obligated to pay penalty interest to Paloma in accordance with Section 6 of the Swedish Interest Act, calculated from the day on which payment should have been made.
If payment is made by credit or debit card, the amount is immediately charged to the card on purchase of the Service, and thereafter automatically each time the Customer Agreement is extended.
Paloma reserves the right to stop delivery of the Service (or part thereof) if payment is not made on time. It is up to the Customer to inform Paloma of any change of address.
Section 6 Operation, support and customer service
The Service is normally in operation 24 hours a day, seven days a week. Operation of the Service is unsupervised during certain times. Operational downtime may occur during such times. Furthermore, Paloma reserves the right, without prior notice, to restrict or stop the operation of the Service for service-related purposes, e.g. the rectification of bugs, maintenance and upgrades.
In cases where notification is sent to the Customer, such notification will be sent to the email address designated by the Customer for receipt of information concerning the operation of the Service.
Paloma provides the Customer with support if support has been ordered. The support takes place via email concerning questions and enquiries, operational downtime or other problems that arise in relation to the use of the Service. Support cases received during office hours (08.00-17.00 Swedish time) will normally be answered within four hours. Shorter opening hours may apply to the support function during the summer period. For emergency support cases, the Customer is referred to Paloma’s switchboard, +46 (0)225 410 22, to report a case.
Section 7 Processing of personal data
Through provision of the Service, Paloma also processes personal data on behalf of the Customer. Such data may, for example, concern subscribers to a newsletter or attendees at an event.
In relation to such personal data, the Customer is the personal data controller and Paloma is the Customer’s personal data processor. By accepting these Terms & Conditions, the Customer also accepts the Personal Data Processor Contract below.
In its role as personal data controller, the Customer must comply with the requirements imposed by the General Data Protection Regulation (GDPR). It is therefore required of the Customer to have lawful grounds for all personal data that is processed, and to ensure that the personal data is processed in accordance with the principles of GDPR.
Section 8 Technical conditions for the Service
In order to use the Service, the Customer’s technical conditions must satisfy the minimum requirements for the Service as specified on Paloma’s website.
Section 9 Restrictions and refusal to deliver
Paloma reserves the right to examine the material that the Customer communicates via the Service, in order to ensure that the Customer is in compliance with its undertakings pursuant to these Terms & Conditions. However, Paloma undertakes no responsibility or liability for closely examining the Customer’s use of the Service.
The Customer is only entitled to use the Service with observance of applicable legislation.
Paloma also reserves the right to immediately stop delivery of the Service if the Customer’s use of the Service represents a breach of these Terms & Conditions or other reasonable written restrictions from Paloma. Paloma also reserves the right to immediately stop delivery of the Service in the event of some other use that is harmful to Paloma, the Service or the Recipients of the Service in some other manner.
Examples of restrictions in the use include:
- offensive content such as racism, Nazism/fascism, slander, insults, persecution, threats and pornography;
- chain letters and pyramid schemes;
- creating a false identity with the aim of misleading others;
- sending, or in some other way making available, material that is protected by intellectual property rights, without having acquired the rights to the material or having obtained all necessary permissions to utilise the material;
- infringing Paloma’s or other parties’ intellectual property rights;
- or in some other way making available, material that contains a virus, Trojan horses, worms, delayed-action bombs, cancelbot files, hazardous files or other similar software which may damage the operation of another party’s computer or property;
- falsifying or removing author attributions, legal or other types of appropriate notification or ownership indications regarding the origin of transferred material or messages;
- breaching rules of conduct, good practice or other guidelines that may be applicable to the Service;
- seeking, without permission, to gain access to, disrupt or discontinue the accounts, computers or networks that are related to the Service;
- preparing access to, or attempting to prepare access to, information or data via Service, except for information that Paloma intends to make available to the Customer;
- utilising the access to the Service for the purpose of obtaining information to design, develop or update other software;
- charging others for using the Service directly or indirectly;
- circumventing, in some manner, the applicable charge policy for the Service, for example by systematically importing and exporting one and the same address or all or large parts of the list of Recipients; or
- the Customer sends emails in such a way that it entails, or may come to entail, some form of blacklisting, spam filtering or blocking of the Service’s IP address.
If the Service (or part thereof) has been stopped due to use that is in breach of the provisions in this Section 9, this does not provide entitlement to any refund to the Customer. The Customer’s right to use the Service ceases with immediate effect when the Service has been stopped. Paloma accepts no liability in relation to the Customer for the loss of data as a consequence of the Service having been stopped.
Section 10 The Customer’s responsibility
The Customer is responsible for ensuring that the Service is used in accordance with applicable laws and regulations, both in Sweden and internationally. The Customer undertakes to indemnify Paloma for all financial or other loss or damage that is related to the Customer’s use of the Service.
The Customer undertakes not to reveal his password to any unauthorised person and to ensure that documents containing details of the password are stored in such a way that no unauthorised person can gain access to the password. The Customer shall immediately ask Paloma to block the password if it is suspected that an unauthorised person has become aware of the Customer’s password.
The Customer is solely responsible in relation to Paloma for the information that is transferred, stored or provided through the Service.
The Customer undertakes to use the Service in accordance with the permission marketing principle. This means that the Service will be used to further develop existing relations. A Recipient of a mailing must have directly or indirectly consented to receiving information from the Customer. The consent from the Recipient may arise, for example, through an existing customer relationship, personal contacts or a request/application to receive information from the Customer via the Service.
A Recipient of information via the Service shall always be offered the opportunity of deregistering from further mailings through the use of a clearly visible, clickable link in each individual mailing. It shall be easy to de-register, and a Recipient’s desire to do so must always be respected. Sending invitations to launch a newsletter is acceptable on condition that they are one-off invitations to each Recipient and are sent to a relevant target group that can be supposed to have an interest in the content.
The Service is otherwise used in accordance with the industry organisation SWEDMA’s ethical guidelines regarding email marketing.
Paloma does not permit the Customer to enter purchased addresses or address lists into the Service.
Section 11 Provisions regarding Paloma account
The Customer understands that there may only be one registered sender per account. A Customer is entitled to open an account on behalf of a client. However, there may only be one such registered client/sender per Paloma account.
Section 12 Limitation of Paloma’s liability
Paloma is not liable for inconvenience, damage or loss that is due to circumstances beyond Paloma’s control or that Paloma could not reasonably have known about or predicted.
Such circumstances, constituting “Force Majeure” shall be deemed to include, but are not limited to: accidents, war, riots, severe weather, labour market conflict, faults in an operator’s, a business partner’s or a supplier’s IT service, data network, payment solution or similar event that is beyond Paloma’s control. Under no circumstances is Paloma liable for indirect loss or damage or consequential loss or damage. Consequently, Paloma is not liable for loss of profits or any other kind of indirect damage or loss.
Paloma’s liability as a consequence of the Customer Agreement is always limited to a total amount not in excess of an amount that equates to the payments made by the Customer during the previous twelve (12) months prior to the occurrence of the loss or damage.
Section 13 Paloma’s liability
In the event of a fault or delay on the part of Paloma which is not insignificant to the Customer, the Customer may receive an adjustment through a free-of-charge extension of the Agreement Period in relation to the relevant part of service loss. Under no circumstances are damages payable for loss of service in accordance with the above.
If no claim for compensation is made within one month of the date on which the Service should have opened or the fault should have ceased, the Customer forfeits his right to compensation if the claim could have been made at the right time.
Section 14 Amendments to the Terms & Conditions
Paloma has the right to revise these Terms & Conditions by publishing an updated version on the website. The amended Terms & Conditions are applicable as of the date/time they are published on the website.
Section 15 Changes to charges
A change to charges is made by entering the change onto the pricelist that applies at any given time. If the Customer does not approve the change or surcharge, the Customer is entitled to cancel his Customer Agreement in accordance with Section 3. If such cancellation does not take place, the Customer is deemed to have approved the new terms.
The new terms are applied as of the start of the next Agreement Period, although always at least one (1) month after Paloma has informed the Customer of the impending increase. The information is sent to the email address designated by the Customer for receipt of information concerning the operation of the Service.
Section 16 Transfer of agreement
The Customer is not entitled to transfer this agreement to a third party without written consent from Paloma AB.
Paloma has the right, without having to obtain the Customer’s consent, to entirely or partially transfer the Customer Agreement, or its rights and obligations under the Customer Agreement, to companies that are part of the same group as Paloma. Paloma has the right to engage the services of subcontractors for fulfilment of its undertakings pursuant to the Customer Agreement.
Section 17 Confidentiality
Each Party undertakes not to disclose to a third party, confidential information that a Party receives from the other Party, or which comes to light during the use of the Service.
Section 18 Information to a third party
Paloma is not entitled to give out address lists to a third party without the Customer’s approval.
Section 19 Changes to the Service
Paloma is entitled to change the design of the Service without prior notification, and irrespective of its reasons for doing so. Such a change becomes valid with immediate effect.
In connection with all changes that may conceivably affect the Customer’s use of the Service, the Customer shall receive, within a reasonable period of time, an e-letter containing the relevant information, sent to the email address designated by the Customer for receipt of information concerning the operation of the Service.
Section 20 Transfer of the Service
The Customer is not entitled to transfer the Service to a third party.
Section 21 Interpretation precedence
Paloma enters into agreements with customers in several countries, and translates the Customer Agreement and the Terms & Conditions into various languages as necessary. If an agreement is open to varying interpretation due to language-related differences, the Swedish version of the agreement shall always be afforded precedence when it comes to interpretation.
Section 22 Applicable law
The formalities for entering into an agreement and the matter of the validity of the agreement between Paloma and a Customer shall be settled in accordance with Swedish law.
An agreement that has been entered into between Paloma and a Customer shall be interpreted and have the legal effects pursuant to Swedish law.
Section 23 Disputes
Any dispute arising between the Parties shall be settled in accordance with Swedish law and by a Swedish court of law, whereby Stockholm District Court is the court of first instance.
PERSONAL DATA PROCESSOR CONTRACT
1.1 The Customer and Paloma have entered into an agreement regarding the use of Paloma’s services (the ”Customer Agreement”) and have approved the general terms and conditions of the agreement (the ”Terms & Conditions”).
1.2 This personal data processor contract (the ”Processor Contract”) only regulates matters concerning Paloma’s Processing of Personal Data on behalf of the Customer. In the event of discrepancies between the Customer Agreement and the Processor Contract, the Customer Agreement shall take precedence.
2.1 Terms defined with uppercase letters in the Processor Contract, which also appear in the General Data Protection Regulation (EU) 2016/679 (”GDPR”), have the same definition as in GDPR.
The Customer Agreement refers to the agreement regarding the use of Paloma’s services that has been entered into prior to, or in conjunction with, the entering into of this Processor Contract.
The Processor Contract refers to this Personal Data Processor Contract.
Legislation refers to the applicable Swedish legislation at any given time. Personal data is primarily regulated by the General Data Protection Regulation (EU) 2016/679 (”GDPR”) and the Swedish Act with Supplementary Provisions concerning the EU General Data Protection Regulation (2018:218). The Parties understand and agree that this Processor Contract shall be interpreted in accordance with the Swedish legislation that applies at any given time.
Personal Data Controller (“the Controller”) refers to the Customer, who determines the purpose and means of the Processing.
Personal Data Processor (“the Processor”) refers to Paloma, which processes Personal Data on behalf of the Controller.
Standard Contractual Clauses refers to the clauses for the protection of Personal Data transferred to a third country in accordance with the European Commission’s decision C(2010)593 of 5 February 2010, or equivalent clauses which replace these.
Sub-processor refers to a party engaged by the Processor with the assignment, and with the responsibility that rests on a Processor, to carry out Processing in accordance with this Processor Contract and the Controller’s instructions.
3.1 The purpose of the Processor Contract is to establish such a binding written contract regarding the personal data processor as is required according to the Legislation.
3.2 Furthermore, the purpose is to ensure that the security and confidentiality of the Personal Data is maintained during the Processor’s Processing of the Personal Data.
4.1 The Controller is responsible for ensuring that Processing takes place in accordance with the Legislation applicable at any given time.
4.2 The Parties understand and agree that, if the Legislation or applicable instructions from authorities change significantly, the terms and conditions set out in this Processor Contract shall be adjusted so that they equate, to the greatest extent possible, to the principles originally intended by the Parties when this Processor Contract was entered into.
5. THE CONTROLLER’S RIGHTS AND OBLIGATIONS
5.1 The Controller shall
- a) provide the Processor with such detailed and documented instructions regarding the Processing that the Processor is able to carry out the Processing in accordance with this Processor Contract and the Legislation;
- b) be entitled and obligated to specify the purpose and means of the Processing of the Personal Data;
- c) ensure that everyone whose Personal Data has been registered has received necessary notifications and information, and shall ensure that necessary legal grounds for the transfer of Personal Data to the Processor exist for the relevant time period, which permit the Processor to carry out the Processing in accordance with that which is prescribed herein;
- d) ensure, in the event that the Controller represents its Group companies or a third party in accordance with this Processor Contract, that the Controller has all legal powers to enter into and perform this Processor Contract with the Processor on behalf of the aforementioned Group companies and/or third party, and to allow the Processor to Process the Personal Data in accordance with the terms and conditions set out in this Processor Contract and the Customer Agreement; and
- e) ensure that the Processor has received all necessary information from the Controller in order for the Processor to be able to carry out the Processing in accordance with the Legislation.
6. THE PROCESSOR’S RIGHTS AND OBLIGATIONS
6.1 The Processor shall
- a) Process Personal Data on documented, lawful and reasonable instructions from the Controller, unless otherwise required to do so according to the Legislation, in which case the Processor shall inform the Controller of the legal requirement in question, provided the Legislation does not prohibit the provision of such information;
- b) ensure that persons authorised to carry out the Processing in accordance with this Processor Contract have undertaken to observe a duty of confidentiality or are covered by a statutory duty of confidentiality, such as is set out in this Processor Contract;
- c) take all security measures as are required of the Processor according to the Legislation, in a manner that is set out in this Processor Contract;
- d) comply with the terms and conditions that are set out in the Legislation in relation to the engagement of a Sub-processor, in a manner that is set out in this Processor Contract;
- e) insofar as it is possible, and taking into account the nature of the Processing, assist the Controller by way of appropriate technical and organisational measures, so that the Controller can fulfil its obligation to respond to requests for exercising the data subject’s rights in accordance with the Legislation;
- f) assist the Controller to fulfil its legal obligations, including such obligations regarding security of personal data, notification of a personal data breach, data protection impact assessment and obligations regarding prior consultation, as is required of the Processor according to the Legislation, taking into account the nature of Processing and the information available to the Processor;
- g) on the Controller’s instructions, delete or return all Personal Data to the Controller and delete existing copies, provided storage of the Personal Data is not required according to applicable Legislation. The methods for deletion and/or return shall be determined and agreed between the Parties; and
- h) maintain necessary registers concerning the Processing and provide the Controller with access to all information necessary to demonstrate that the obligations imposed on the Processor have been complied with as stipulated in the Legislation, and facilitate and contribute to audits, including inspections, that are carried out by the Controller or a third party thus mandated by the Controller.
6.2 The Processor does not have the right, other than in accordance with instructions from the Controller, to change the purposes or means of the Processing.
7. SECURITY REQUIREMENTS ETC.
7.1 The Processor shall undertake and maintain appropriate technical and organisational measures for the protection of the Personal Data, taking into account:
- a) the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons; and
- b) the risks that the Processing entails, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Personal Data that has been transferred, stored or in some other way processed.
7.2 The Controller is responsible for ensuring that the Processor is informed about all circumstances (including risk assessment and Processing of special categories of Personal Data) regarding the Personal Data provided by the Controller, which affect the technical and organisational measures covered by this Processor Contract.
7.3 The Processor shall notify the Controller, without unreasonable delay, although no later than 48 hours after the matter has come to the attention of the Processor, of the occurrence of, or risk for, a Personal Data Breach.
8.1 The Processor has the right to engage the services of one or more Sub-processors for the performance of the Processor’s obligations according to this Processor Contract.
8.2 If a Sub-processor is engaged, the Processor shall enter into a binding contract with the Sub-processor, whereby the Sub-processor is bound by at least the same obligations as are imposed on the Processor pursuant to the Processor Contract. In such a binding contract, the Sub-processor shall provide sufficient guarantees concerning the implementation of appropriate technical and organisational measures in such a way that the Processing complies with the requirements in the Processor Contract and the Legislation.
8.3 The Processor shall maintain an up-to-date list of all Sub-processors whose services the Processor has engaged at any given time. At the request of the Controller, the Processor shall provide the Controller with a copy of the list of Sub-processors.
8.4 The Processor is fully responsible in relation to the Controller for how a Sub-processor processes personal data, including the security measures applied by the Sub-processor.
8.5 The Processor shall inform the Controller in advance of any and all planned changes, additions or replacements of Sub-processors, so that the Controller has the opportunity to object to such a change if there is objectively acceptable reason to do so.
9. GENERAL INSTRUCTIONS FOR PALOMA’S SERVICES
9.1 If the Customer Agreement involves the Postman (newsletter) service, the Controller’s instructions shall be:
- a) to Process Personal Data on behalf of the Controller by sending out a newsletter created by the Customer to email addresses stipulated in an address list prepared by the Customer,
- b) to Process any Personal Data that exists in the newsletter, and
- c) to save the address list for the purpose of using the email addresses for a later mailing.
9.2 If the Customer Agreement involves the Magnet (event management) service, the Controller’s instructions shall be:
- a) to Process Personal Data on behalf of the Controller by receiving registrations for different types of events,
- b) to sell, in certain cases, paid tickets to these events and thus Process payment information,
- c) to provide the Customer with access to the Personal Data of the data subjects who have registered for the events, consisting primarily of the data subject’s name, contact details and payment information, and
- d) to Process Personal Data by offering a function for ”checking in” registered participants to events.
9.3 If the Customer Agreement involves the Kurios (survey tool) service, the Controller’s instructions shall be:
- a) to Process any Personal Data on behalf of the Controller by sending out a survey questionnaire created by the Customer or Paloma to email addresses stipulated in an address list prepared by the Customer,
- b) to save any Personal Data that arises in conjunction with completion of the questionnaires, and
- c) to Process Personal Data by maintaining statistics regarding the outcome of the surveys.
9.4 It is the Controller who bears the full responsibility for ensuring that the Processing of the Personal Data in the Services fulfils the requirements in the Legislation. It should be noted in particular that special consideration should be given to the saving of address lists and the collection of survey questionnaires with free text responses when it comes to ensuring compliance with the Legislation’s requirements regarding (among other things) legal grounds, correctness and erasure.
10. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY
10.1 In the event that the Processor, in conjunction with the Processing, transfers Personal Data to a country outside the European Economic Area (“EEA”) and which is not deemed by the European Commission to ensure an adequate level of protection in relation to the Legislation, the Parties shall enter into an additional contract based on Standard Contractual Clauses.
10.2 If the Processor has engaged the services of a Sub-processor, and such engagement entails the transfer of Personal Data to a country outside the EEA which is not deemed by the European Commission to ensure an adequate level of protection in relation to the Legislation, an additional contract shall be entered into based on Standard Contractual Clauses. Such additional contract shall be entered into between the Controller and the Sub-processor. In the event of discrepancies between this Processor Contract and the aforementioned Standard Contractual Clauses, the Standard Contractual Clauses shall take precedence. Paloma does not currently have any Sub-processors outside the EEA in countries that are not deemed to ensure an adequate level of protection.
11. RIGHT OF ACCESS
11.1 If the Controller so requests, the Processor, without unreasonable delay, shall provide the Controller, or an independent third party engaged by the Controller, with access to such information and documentation as is necessary in order for the Controller to be able to carry out an effective check/review of the Processor’s measures according to this Processor Contract or the Legislation.
11.2 The Controller shall bear the costs that arise in conjunction with a check/review of the Processing of Personal Data carried out by the Processor.
12.1 Unless the Controller’s instructions say otherwise, the Processor shall
- a) observe a duty of confidentiality in relation to all Personal Data provided by the Controller,
- b) ensure that persons authorised to carry out the Processing of the Personal Data have undertaken to observe a duty of confidentiality, and
- c) ensure that Personal Data is not disclosed to a third party without the prior approval of the Controller, unless the Processor is obligated to disclose such information in accordance with mandatory legislation or regulation.
12.2 If a data subject or an authority makes a request related to the Personal Data covered by this Processor Contract, the Processor, as quickly as is reasonably possible, shall notify the Controller of such request before the Processor replies to the request or undertakes other measures regarding the Personal Data.
12.3 In the event that a competent authority demands an immediate reply, the Processor shall notify the Controller of such request as quickly as is reasonably possible after reply to the request has been made. However, if the Processor is prevented by mandatory legislation or a competent authority’s regulations from disclosing such information, the
Processor is not obligated to notify the Controller of such request.
13. LIABILITY AND BREACH OF CONTRACT
13.1 The Controller is responsible for ensuring that the Processing takes place in accordance with the Legislation and the Controller’s obligations pursuant to this Processor Contract. The Controller is also responsible for issuing adequate and lawful instructions to the Processor.
13.2 The Processor is responsible for ensuring that the Processing of Personal Data takes place in accordance with the Controller’s instructions and the Processor’s obligations pursuant to this Processor Contract, as well as in accordance with the Terms & Conditions.
13.3 Each Party shall hold the other Party harmless for any damages or losses (including, for example, but not limited to, administrative sanction fines, damages payable to data subjects, or legal representation fees) which a Party incurs as a result of the other Party having acted in violation of the Processor Contract. However, the Processor’s liability shall be subject to the same limitations as are specified in the Terms & Conditions.
13.4 In the event of the existence of some form of compensatory damage or loss as described above, the Party shall undertake measures to limit the damage or loss, provided such measures do not result in unreasonable costs or are not otherwise unreasonably burdensome.
13.5 If a Party has acted in violation of the Processor Contract in a not insignificant respect, the other Party has the right to enforce early termination of the Customer Agreement with effect from a point in time determined by the other Party.
14. CONTRACT PERIOD
14.1 This Processor Contract applies between the Parties as long as the Processor processes Personal Data as a consequence of its undertaking to deliver services to the Customer in accordance with the Customer Agreement. If the Customer Agreement is terminated or otherwise ceases to apply, and a new such agreement is entered into without the signing of a new personal data processor contract, this Processor Contract shall also apply in relation to the new agreement. This Processor Contract can be terminated on the basis of the terms and conditions that are set out in the Customer Agreement.
15. CONSEQUENCES OF CESSATION OF PROCESSING
15.1 When the Processing has ceased, or prior to this if the Controller so requests, the Processor shall hand over or destroy all Personal Data Processed by the Processor.